Firewall Wizards mailing list archives

RE: Multiple small switches vs. a single big one; Granularity of control


From: Phil Burg <Phil.Burg () colesmyer com au>
Date: Fri, 5 Mar 2004 12:43:35 +1100

Dale W. Carder wrote:

I personally believe that the idea of separating vlans onto separate switches
is fueled by paranoia and inferior switch architectures.  Separating vlans
onto their own switches does not scale.  If it does for your environment, I
envy you :-)

There are economies of scale in having bigger switches with more vlans,
and trunking between them.  The 6500 series switches and competing
products are marketed towards that idea.
[...]
The switch enforces the separation policy between vlans.  The FWSM is a
firewall between vlans.

At the end of the day, IMNSHO, it's all about risk, and your organisation's
appetite for it.  Using the (rather simplistic) approach that I like to take,
in the absence of evidence to the contrary, increased complexity equates to
increased risk.  (Yes, this may be paranoia, but my employer likes my paranoid
streak).

Therefore, when you compare separate small switches separated by a firewall
to one large switch with multiple VLANs separated by an integrated firewall,
the former is less risky than the latter.  This doesn't mean it's objectively
a worse solution, just that a more informed business decision can now be
made, weighing up the benefits of the latter (the economies of scale you
mentioned) against the risk if something goes wrong (including both malicious
activity and stressed comms engineers misconfiguring a VLAN at 4am...)

My opinion, not my employer's.
Phil
--
Phil Burg
Senior Security Adviser
IT S&A Security and Governance
Coles Myer Ltd
(03) 9483 7165 / 0409 028 411

